Understanding User Account Capabilities, Privileges, and Rights
All user accounts have specific capabilities, privileges, and rights. When you create a user account, you can grant the user specific capabilities by making the user a member of one or more groups. This gives the user the capabilities of these groups. You then assign additional capabilities by making a user a member of the appropriate groups or withdraw capabilities by removing a user from a group.
In Windows Server 2008, some capabilities of accounts are built in. Built-in capabilities are assigned to groups and form part of each group's automatic capabilities. Although built-in capabilities are predefined and cannot be changed, they can be granted to users by making them members of the appropriate group, or delegated by granting the capability specifically. For example, the ability to create, delete, and manage user accounts is a built-in capability assigned to the Administrators and Account Operators groups; thus, a user who is a member of the Administrators group can create, delete, and manage user accounts.
Other capabilities of accounts, such as permissions, privileges, and logon rights, can be assigned. The access permissions for accounts define the operations that can be performed on network resources. For example, permissions control whether a user can access a particular shared folder. You can assign access permissions to users, computers, and groups. The privileges of an account grant permissions to perform specific tasks, such as the ability to change the system time. The logon rights of an account grant logon permissions, such as the ability to log on locally to a server.
An important part of an administrator's job is being able to determine and set permissions, privileges, and logon rights as necessary. Although you can't change a group's built-in capabilities, you can change a group's default privileges and logon rights. For example, you could revoke network access to a computer by removing a group's right to access the computer from the network. Table-1 provides an overview of the default privileges assigned to groups. Table-2 provides an overview of the default logon rights assigned to groups.
Table-1 Default Privileges Assigned to Groups

Privilege | Description | Groups Assigned by Default in Domains
---|---|---
Act As Part Of The Operating System | Allows a process to authenticate as any user. Processes that require this privilege must use the LocalSystem account, which already has this privilege. | None |
Add Workstations To Domain | Allows users to add new computers to an existing domain. By default a non-administrator can join at most 10 computers to the domain this way (the ms-DS-MachineAccountQuota attribute); users who have been granted Create Computer Objects permission on the container are not bound by that quota. | Authenticated Users
Adjust Memory Quotas For A Process | Allows users to set the maximum amount of memory a process can use. | Administrators, Local Service, and Network Service |
Back Up Files And Directories | Allows users to back up the system regardless of the permissions set on files and directories. | Administrators, Backup Operators, and Server Operators |
Bypass Traverse Checking | Allows users to go through directory trees even if a user doesn't have permissions to access the directories being passed through. The privilege doesn't allow the user to list directory contents. | Administrators, Authenticated Users, Everyone, Local Service, and Network Service |
Change The System Time | Allows users to set the time for the computer's clock. | Administrators, Server Operators, and Local Service |
Change The Time Zone | Allows users to set the time zone for the system clock. | Administrators, Server Operators, and Local Service |
Create A Pagefile | Allows users to create and modify the paging file size for virtual memory. | Administrators |
Create A Token Object | Allows processes to create token objects that can be used to gain access to local resources. Processes that require this privilege must use the LocalSystem account, which already has this privilege. | None |
Create Global Objects | Allows a process to create objects in the global namespace of the object manager, where they are visible to all sessions, rather than only in its own session's namespace. Most components already have this privilege and it's not necessary to specifically assign it. | Administrators, Service, Local Service, and Network Service
Create Permanent Shared Objects | Allows processes to create directory objects in the Windows object manager. Most components already have this privilege and it's not necessary to specifically assign it. | None |
Create Symbolic Link | Allows an application that a user is running to create symbolic links. Symbolic links make it appear as if a document or folder is in a specific location when it actually resides in another location. Use of symbolic links is restricted by default to enhance security. | Administrators |
Debug Programs | Allows users to perform debugging. | Administrators |
Enable User And Computer Accounts To Be Trusted For Delegation | Permits users and computers to change or apply the trusted account for delegation setting, provided they have write access to the object. | Administrators |
Force Shutdown Of A Remote System | Allows users to shut down a computer from a remote location on the network. | Administrators and Server Operators |
Generate Security Audits | Allows processes to make security log entries for auditing object access. | Local Service and Network Service |
Increase A Process Working Set | Allows an application that a user is running to increase the memory that the related process working set uses. A process working set is the set of memory pages currently visible to a process in physical memory. Allowing for increases in memory pages reduces page faults and enhances performance. | Users |
Increase Scheduling Priority | Allows processes with write access to a process to increase the scheduling priority assigned to those processes. | Administrators |
Load And Unload Device Drivers | Allows users to install and uninstall Plug and Play device drivers. This doesn't affect device drivers that aren't Plug and Play, which can only be installed by administrators. | Administrators and Print Operators
Lock Pages In Memory | Allows a process to keep data in physical memory, preventing the system from paging the data to virtual memory on disk. | None
Manage Auditing And Security Log | Allows users to specify auditing options and access the security log. You must turn on auditing in the group policy first. | Administrators |
Modify An Object Label | Allows a user process to modify the integrity label of objects, such as files, Registry keys, or processes owned by other users. This privilege can be used to lower the integrity level of other processes. Processes running under a user account can lower the label of objects the user owns without requiring this privilege. | None
Modify Firmware Environment Values | Allows users and processes to modify system environment variables (not user environment variables). | Administrators |
Perform Volume Maintenance Tasks | Allows administration of removable storage, disk defragmenter, and disk management. | Administrators |
Profile A Single Process | Allows users to monitor the performance of non-system processes. | Administrators on domain controllers; on member servers and workstations, Administrators and Users |
Profile System Performance | Allows users to monitor the performance of system processes. | Administrators |
Remove Computer From Docking Station | Allows a user to undock a portable computer from its docking station without logging on. | Administrators and Users
Replace A Process Level Token | Allows processes to modify the default token for subprocesses. | Local Service and Network Service |
Restore Files And Directories | Allows restoring backed-up files and directories, regardless of the permissions set on files and directories. | Administrators, Backup Operators, and Server Operators |
Shut Down The System | Allows shutting down the local computer. | Administrators, Backup Operators, Print Operators, and Server Operators |
Synchronize Directory Service Data | Allows users to synchronize directory service data on domain controllers. | None
Take Ownership Of Files Or Other Objects | Allows users to take ownership of any securable object on the system, including files, folders, Registry keys, printers, processes, and Active Directory objects. | Administrators
Table-2 Default Logon Rights Assigned to Groups

Logon Right | Description | Groups Assigned by Default in Domains
---|---|---
Access Credential Manager As A Trusted Caller | Grants permission to establish a trusted connection to Credential Manager. Credentials, such as a user name and password or smart card, provide identification and proof of identification. | None
Access This Computer From The Network | Permits remote access to the computer. | Administrators, Authenticated Users, and Everyone |
Allow Logon Locally | Grants permission to log on to the computer interactively at the console. | Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators |
Allow Logon Through Terminal Services | Allows access through Terminal Services; necessary for remote assistance and remote desktop. | None |
Deny Access To This Computer From The Network | Denies remote access to the computer through network services. | None |
Deny Logon As Batch Job | Denies the right to log on through a batch job or script. | None |
Deny Logon As Service | Denies the right to log on as a service. | None |
Deny Logon Locally | Denies the right to log on to the computer's keyboard. | None |
Deny Logon Through Terminal Services | Denies right to log on through Terminal Services. | None |
Log On As A Batch Job | Grants permission to log on as a batch job or script. | Administrators, Backup Operators, and Performance Log Users |
Log On As A Service | Grants permission to log on as a service. The LocalSystem account has this right. Services that run under separate accounts should be assigned this right. | None
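Checking and changing these assignments from the command line, as an added example that is not part of the original page: the script below exports the effective local policy with secedit.exe, parses its [Privilege Rights] section, flags holders of the most dangerous privileges outside an assumed baseline, and shows how the "revoke network access" change described in the text is applied as a Deny right. The $HighRisk and $Expected tables, the function names, and the file paths are this example's own assumptions for a domain member server.

```powershell
# Added example, not code from the original page. Audits the local User Rights Assignment
# with secedit.exe and shows how to apply a Deny right. Run from an elevated PowerShell
# prompt. The $HighRisk and $Expected tables are this example's assumptions for a domain
# member server; adapt them to your own policy.

$ExportPath = Join-Path $env:TEMP 'user-rights.inf'

# Privilege constants behind some of the table's display names. Any of these, granted to
# the wrong principal, is equivalent to full control of the computer.
$HighRisk = @{
    'SeTcbPrivilege'                = 'Act As Part Of The Operating System'
    'SeCreateTokenPrivilege'        = 'Create A Token Object'
    'SeDebugPrivilege'              = 'Debug Programs'
    'SeBackupPrivilege'             = 'Back Up Files And Directories'
    'SeRestorePrivilege'            = 'Restore Files And Directories'
    'SeTakeOwnershipPrivilege'      = 'Take Ownership Of Files Or Other Objects'
    'SeLoadDriverPrivilege'         = 'Load And Unload Device Drivers'
    'SeAssignPrimaryTokenPrivilege' = 'Replace A Process Level Token'
    'SeEnableDelegationPrivilege'   = 'Enable User And Computer Accounts To Be Trusted For Delegation'
}
# Assumed baseline of legitimate holders; rights not listed default to Administrators only.
$Expected = @{
    'SeBackupPrivilege'             = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
    'SeRestorePrivilege'            = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
    'SeAssignPrimaryTokenPrivilege' = @('NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
}

function Get-UserRightsAssignment {
    # Exports the effective local policy and parses [Privilege Rights] into
    # a hashtable: privilege constant -> raw entries ('*SID' or account name).
    param([string]$Path = $ExportPath)
    & secedit.exe /export /cfg $Path /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $constant = $Matches[1]
            $rights[$constant] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return $rights
}

function Resolve-Principal {
    # secedit writes SIDs with a leading '*'; translate to DOMAIN\Name for display.
    param([string]$Entry)
    if (-not $Entry.StartsWith('*')) { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Entry.Substring(1)   # orphaned SID (deleted account): keep it visible, it still grants the right
    }
}

function Test-HighRiskRights {
    # One row per high-risk privilege: current holders and any holder outside the baseline.
    param([hashtable]$Rights)
    foreach ($constant in ($HighRisk.Keys | Sort-Object)) {
        $holders = @()
        if ($Rights.ContainsKey($constant)) { $holders = @($Rights[$constant] | ForEach-Object { Resolve-Principal $_ }) }
        $allowed = if ($Expected.ContainsKey($constant)) { $Expected[$constant] } else { @('BUILTIN\Administrators') }
        [pscustomobject]@{
            Privilege  = $HighRisk[$constant]
            Constant   = $constant
            Holders    = ($holders -join '; ')
            Unexpected = (@($holders | Where-Object { $allowed -notcontains $_ }) -join '; ')
        }
    }
}

function Deny-NetworkLogon {
    # Adds the given SIDs to "Deny Access To This Computer From The Network".
    # Caveat: secedit /configure replaces the whole list for a right, so the current
    # holders are read first and merged rather than overwritten.
    param([Parameter(Mandatory)][string[]]$Sid)
    $rights  = Get-UserRightsAssignment
    $current = if ($rights.ContainsKey('SeDenyNetworkLogonRight')) { @($rights['SeDenyNetworkLogonRight']) } else { @() }
    $merged  = @($current + ($Sid | ForEach-Object { "*$_" }) | Select-Object -Unique)
    $inf = Join-Path $env:TEMP 'deny-network.inf'
    $db  = Join-Path $env:TEMP 'deny-network.sdb'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = $($merged -join ',')
"@ | Set-Content -Path $inf -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    return $merged
}

# Usage: print the report, then (left commented out) deny the built-in Guests group network logon.
Test-HighRiskRights -Rights (Get-UserRightsAssignment) | Format-Table -AutoSize
# Deny-NetworkLogon -Sid 'S-1-5-32-546'
```

Two practical points when using this. A Deny right always takes precedence over the matching allow right, which is why adding a Deny entry is the safe way to revoke access without editing the allow list that other groups depend on. On a domain member, a Group Policy Object that configures User Rights Assignment overwrites a local change at the next policy refresh, so the same change must be made in the GPO to stick; `whoami /priv` on a fresh logon confirms which privileges the resulting token actually holds.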